Legal claims defining the scope of protection, as filed with the USPTO.
1. A multiple application authorization process, comprising: receiving requests for authorization at a plurality of applications at run-time from users seeking access to protected resources, independently collecting, at the applications, respective authorization information at run-time from a central repository containing user information, the user information including dynamically variable role data defining generic roles in an organization and to which a user can be assigned, more than one user being assignable to a given generic role in the organization, the user information associating privileges with said generic roles in the organization based on their current respective definitions, and granting access to protected resources based on the authorization information collected at run-time in response to a given request; wherein the central repository contains dynamically variable responsibility data defining generic responsibilities that can be associated with multiple users; wherein the generic roles in the organization can be varied independently of the generic responsibilities and user associations with the generic roles in the organization; wherein the generic responsibilities can be varied independently of the generic roles in the organization and user associations with the generic responsibilities; wherein the receiving requests for authorization at a plurality of applications at run-time from users seeking access to protected resources comprises: receiving a request from one of the users seeking access to an object that is one of the protected resources, the one of the users being assigned to one of the generic roles and one of the generic responsibilities, the one of the generic roles being associated with privileges, the one of the generic responsibilities being associated with privileges; and wherein the granting access to protected resources based on the authorization information collected at run-time in response to a given request comprises: granting access to the protected resource based on the privileges associated with the one of the generic roles, the privileges associated with the one of the generic responsibilities and the object to which the one of the users seeks access.
2. The multiple application authorization process of claim 1, wherein the step of granting access comprises dynamically deciding whether a user is authorized to access a given protected resource based on the current variable role data, rather than the user's identity, collected at run-time from the central repository.
3. The authorization process of claim 1, wherein the one of the generic roles is a first one of the generic roles and wherein the one of the generic responsibilities is a first one of the generic responsibilities; wherein a second one of users is assigned to the first one of the generic roles and a second one of the generic responsibilities; and wherein a third one of the users is assigned to a second one of the generic roles and the first one of the generic responsibilities.
4. The authorization process of claim 1, further comprising: altering said dynamically variable role data from time to time to change a definition of a given role independently of user associations; and making a current variable value of a privilege status, with respect to a given protected resource, associated with a currently defined role assigned to a user, available at run-time to one of the plurality of applications receiving the requests for authorization at run-time from users seeking access to protected resources.
5. The multiple application authorization process of claim 2, wherein the collecting information step comprises querying a central data repository external to the application from which the user requests authorization.
6. The multiple application authorization process of claim 2, further comprising altering role data to cause the privileges associated with a given role to change.
7. The multiple application authorization process of claim 6, wherein the step of altering said role data for a given generic role is carried out independently of the responsibilities of users associated with a given generic role.
8. The multiple application authorization process of claim 6, wherein the information collected from said repository including the current variable value of the privilege status with respect to the protected resource associated with a combination of the currently-defined generic role or roles and responsibilities assigned to the user requesting access.
9. The authorization process of claim 8, wherein the step of altering said responsibility data for a given responsibility is carried out independently of the roles of users associated with the given generic responsibility.
10. The authorization process of claim 8, wherein users are assigned to roles and responsibilities by decomposing a given user's positional functions and responsibilities into basic actions and objects to which the actions are applied, mapping the actions and objects onto respective generic roles and responsibilities stored in said repository, and assigning the respective roles and responsibilities to the user.
11. A system comprising: a plurality of applications receiving requests for authorization at run-time from users seeking access to protected resources; and a central repository storing user information including dynamically variable role data defining generic roles in an organization and to which a user can be assigned, more than one user being assignable to a given generic role in the organization, the user information associating privileges with said generic roles in the organization based on their current respective definitions; the plurality of applications to independently collect respective authorization information at run-time from the central repository and to grant access to protected resources based on the authorization information collected at run-time; wherein the central repository contains dynamically variable responsibility data defining generic responsibilities that can be associated with multiple users; wherein the generic roles in the organization can be varied independently of the generic responsibilities and user associations with the generic roles in the organization; wherein the generic responsibilities can be varied independently of the generic roles in the organization and user associations with the generic responsibilities; wherein the receiving requests for authorization at a plurality of applications at run-time from users seeking access to protected resources comprises: receiving a request from one of the users seeking access to an object that is one of the protected resources, the one of the users being assigned to one of the generic roles and one of the generic responsibilities, the one of the generic roles being associated with privileges, the one of the generic responsibilities being associated with privileges; and wherein to grant access to protected resources based on the authorization information collected at run-time in response to a given request comprises: to grant access to the protected resource based on the privileges associated with the one of the generic roles, the privileges associated with the one of the generic responsibilities and the object to which the one of the users seeks access.
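As an added illustration of the process in claim 1 (and of varying a generic role independently of user associations, as in claims 4, 6 and 7), not code from the patent: a minimal Python model in which a central repository holds generic roles and generic responsibilities, each mapped to privileges on objects, and an application decides access at run-time from the user's current roles, responsibilities and the requested object. Names such as `clerk`, `auditor` and `ledger` are constructed sample data.

```python
from dataclasses import dataclass, field


@dataclass
class CentralRepository:
    """Constructed model of the claims' central user-information repository."""
    # generic role / responsibility name -> {object: set(privileges)}
    roles: dict = field(default_factory=dict)
    responsibilities: dict = field(default_factory=dict)
    # user -> set of generic roles / responsibilities; kept apart from the
    # definitions so each can be varied independently of the other
    user_roles: dict = field(default_factory=dict)
    user_resps: dict = field(default_factory=dict)

    def define_role(self, role, grants):
        # Redefining a role changes what every assigned user may do, without
        # touching their assignments or their responsibilities (claims 6, 7)
        self.roles[role] = {obj: set(p) for obj, p in grants.items()}

    def define_responsibility(self, resp, grants):
        self.responsibilities[resp] = {obj: set(p) for obj, p in grants.items()}

    def assign(self, user, roles=(), resps=()):
        self.user_roles.setdefault(user, set()).update(roles)
        self.user_resps.setdefault(user, set()).update(resps)

    def privileges(self, user, obj):
        # Union of the privileges of the user's current roles and responsibilities
        # on this object, read from the current definitions (nothing is cached)
        privs = set()
        for r in self.user_roles.get(user, ()):
            privs |= self.roles.get(r, {}).get(obj, set())
        for r in self.user_resps.get(user, ()):
            privs |= self.responsibilities.get(r, {}).get(obj, set())
        return privs


def authorize(repo, user, obj, action):
    """One application's run-time decision: collect from the repository, then grant or deny."""
    return action in repo.privileges(user, obj)


def demo():
    repo = CentralRepository()
    repo.define_role("clerk", {"ledger": {"read"}})
    repo.define_responsibility("auditor", {"ledger": {"read", "export"}})
    repo.assign("alice", roles={"clerk"}, resps={"auditor"})
    repo.assign("bob", roles={"clerk"})
    before = (authorize(repo, "alice", "ledger", "export"), authorize(repo, "bob", "ledger", "read"))
    # Vary the generic role only: bob loses read, alice keeps it via her responsibility
    repo.define_role("clerk", {"ledger": set()})
    after = (authorize(repo, "alice", "ledger", "read"), authorize(repo, "bob", "ledger", "read"))
    return before, after
```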
December 28, 2010